10-09-2009 #1 iUnknown Guest
Decrypting the PS3/HDD Pairing Ideas
I'm going to start this off by apologizing if my question or thought is ignorant as I do not know too much about the PS3 encryption system. If it is useless, mods please delete this post.
I cannot imagine how much time, effort, and energy all of you guys have spent on this machine so I hope no one is insulted by my input but merely see it as a thought by someone who isn't too close to the subject matter.
My question/thought revolves around decrypting the PS3/HDD pairing. When booting up, the PS3 will identify the HDD connected; if it doesn't recognize the key it holds, it will ask to format the drive. Could we not then connect the PS3 via SATA to a PC running an HDD emulator program, where the PS3 is fooled into thinking it's connected to an HDD, asks to format, and when we say yes, the PS3 would send the encryption 'key' through SATA while running the format operation?
If this is possible, then the 'key' can be used when re-pairing any HDD with that specific PS3 unit by formatting it using that given 'key', giving devs the opportunity to modify information on the HDD while keeping the encryption intact.
Again, my humblest of apologies if this is a naive and uninformed post. Please know that my intention is purely in the realm of trying to help. Hope it does.
10-09-2009 #2 CJPC Guest
Well, the issue is that data in the clear is never sent past the HDD controller; all of the encryption/decryption is done in-system, essentially on the fly, built into the filesystem drivers.
So the PS3 would never have the need to send the key to the HDD, alas, since it's done internally!
10-09-2009 #3 iUnknown Guest
Would it not be possible to deduce a key by recording the information sent from the PS3 to the target HDD sequentially? Unless of course the data isn't even sent sequentially, which would add to the headache. I'm just wondering: if a set of known data was written multiple times (i.e. a demo), it should be possible to piece together how it was written (since we know what the whole looks like prior to it being written), thereby creating a 'key' (keyword: "a" and not "the").
10-09-2009 #4 CJPC Guest
Comparing the encrypted data looking for patterns is a good idea; however, with recent cryptological advances, it could end up taking quite a while to find a pattern, let alone use it against itself!
10-10-2009 #5 RexVF5 Guest
Let me put it another way: the PS3's operating system expects to find a valid filesystem on the HDD (that can be checked by the first block(s)). If it doesn't, it asks you to format the HDD.
Now for the encryption: the OS actually doesn't see encrypted data; the HDD driver takes care of it using a key stored somewhere in the PS3. So when you connect a new HDD, the OS tries to read the first sector, which is decrypted by the HDD driver using that console's key. If the result of decryption is not a valid first sector, it will ask you to format the drive.
Or from the opposite direction: the OS asks to write unencrypted data to the HDD, which is quietly encrypted by the HDD driver using the console's key and written to disk. When it attempts to read the data back, the HDD driver quietly decrypts it and provides it to the OS. So for the OS the drive seems to be unencrypted...
The console's key in question is thus never written to the HDD; it doesn't need to be, it is just used to encrypt/decrypt data. When you try to read the disk from a different console, the key won't match, which will result in data unrecognizable to the OS...
10-10-2009 #6 DSpider Guest
Can the HDD serial number be faked? Like through an emulator or a separate device (modchip anyone?) that "emulates" another HDD's specs?
Or maybe the key is generated randomly to work only for that HDD... Or maybe the key is unique to each PS3 (like the IDStorage of the PSP Slim).
10-10-2009 #7 iUnknown Guest
The PS3 seems to come up with multiple unique keys per HDD. Having said that, as Rex mentioned, the OS is never really aware of them (when accessing the HDD). As I don't think anyone knows how the PS3 generates the keys (otherwise I assume we wouldn't be talking about this) I'm wondering if there is a limit to the unique keys it generates.
That is part of why I was curious about monitoring the output of the SATA port on the PS3: to sniff out some patterns and see if the HDD layout would be duplicated after X number of times (insinuating the same key has been used more than once, assuming we're writing the same information to the HDD each time). I would guess this would give us a lead, but as CJPC mentioned, it would probably take forever.
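Added illustration, not code from the thread and not Sony's actual scheme: a toy model of the transparent HDD-driver encryption RexVF5 describes in #5, and of the repeated-write pattern idea in #7. It assumes a constructed per-sector keystream (HMAC of the sector index under a per-console key) standing in for the real cipher, 16-byte sectors, and a made-up filesystem marker for "a valid first sector".

```python
import hashlib
import hmac

SECTOR = 16                # constructed toy sector size; real sectors are 512+ bytes
FS_MAGIC = b"PS3FS\x00"    # constructed stand-in for a recognisable first sector


def keystream(console_key: bytes, sector_no: int) -> bytes:
    """Per-sector keystream (stand-in cipher): because the sector index is mixed in,
    identical plaintext written to two different sectors encrypts differently."""
    return hmac.new(console_key, sector_no.to_bytes(8, "big"), hashlib.sha256).digest()[:SECTOR]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptingHddDriver:
    """The 'HDD driver' layer from the thread: the OS above it sees plaintext,
    the disk below it sees only ciphertext, and the key itself is never written."""
    def __init__(self, console_key: bytes, disk: bytearray):
        self.key = console_key
        self.disk = disk

    def write_sector(self, n: int, plaintext: bytes) -> None:
        padded = plaintext.ljust(SECTOR, b"\0")
        self.disk[n * SECTOR:(n + 1) * SECTOR] = xor(padded, keystream(self.key, n))

    def read_sector(self, n: int) -> bytes:
        return xor(bytes(self.disk[n * SECTOR:(n + 1) * SECTOR]), keystream(self.key, n))


def ps3_boot_check(driver: EncryptingHddDriver) -> str:
    """Console reads sector 0 through its own driver; an unrecognised header
    is what triggers the 'format this drive?' prompt in the thread."""
    return "ok" if driver.read_sector(0).startswith(FS_MAGIC) else "format"


def demo() -> dict:
    disk = bytearray(4 * SECTOR)                                 # constructed blank disk image
    console_a = hashlib.sha256(b"constructed per-console key A").digest()
    console_b = hashlib.sha256(b"constructed per-console key B").digest()
    drv_a = EncryptingHddDriver(console_a, disk)
    drv_a.write_sector(0, FS_MAGIC + b"hdr")                     # console A formats the drive
    drv_a.write_sector(1, b"same data")                          # same plaintext written twice...
    drv_a.write_sector(2, b"same data")                          # ...in two different sectors
    return {
        "same_console": ps3_boot_check(drv_a),                                   # "ok"
        "other_console": ps3_boot_check(EncryptingHddDriver(console_b, disk)),   # "format"
        "key_on_disk": console_a in bytes(disk),                                 # False
        "repeat_visible": disk[SECTOR:2 * SECTOR] == disk[2 * SECTOR:3 * SECTOR],  # False
    }
```

The last result shows why sniffing SATA for repeated layouts gives little away under such a design: the same data lands as different ciphertext in each sector, and the disk contents never contain the key.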
10-11-2009 #8 ionbladez Guest
Guys not to sound stupid here, but I'd like to throw in my two cents.
If anyone has tested it yet, try taking 2 HDDs of different or the same size.
Format both of them on the same PS3, then view the data on them with a hex editor.
This should give us the answer to the HDD serial number.
But with my experience in encryption, I believe Sony wouldn't have tied it down to the HDD itself.
In fact, they must be using the motherboard SN as well as (maybe) the BBE chip to marry the HDD to the board.
I mean, if we think of it straightforwardly, we could easily put the same HDD with a lower FW from THE SAME SYSTEM, and it would probably read it and prompt for an update (never tried it, anyone else?).
Or two of the same HDDs with the same FW version from the same system.
I do understand that their encryption algorithm is chained, and we could be heading in the right direction IF we did put a "middle-man" in between the HDD and PS3. We could do that with multiple HDDs and run the "middle-man" into a data comparer; that way it wouldn't take such a long time.
My experience with FS algorithms isn't too great, but I do know that the first sector is usually untouched, since if it was, the PS3 would toss it and ask for a format. No one would sink that low as to encrypt the header in the first 1024 bytes on the HDD.
I do know as much that the PS3 is in fact using FAT or FAT32. I've been scanning a bit left and right and doing a ton of research against this, but nothing that would help anyone at the time.
So what we're dealing with is a system SN and possibly a BBE chip SN that is used as the block key, and by block key I mean their whole algorithm key.
If anyone wants to correct me, go right ahead. But I'm not new to cryptography or filesystems OR computers, for that matter.
Any questions, I will clarify everything I've said.
10-11-2009 #9 Frago Guest
Decrypting the PS3/HDD with Norton partition magic
I have an idea. 2-3 months ago, decrypting the PS3 HDD with Norton Partition Magic, I discovered something. I had nothing to do then, so to spend my time I took my PS3 60pal HDD and connected it to my PC. Windows didn't recognize it, but when I tried to open it with Norton it opened!!!
It was in 2 parts and it had some folders; I didn't know what they were and I didn't touch them. I wanted to find the ISOs from the Linux that I had made, but I didn't manage it; I didn't know what I was doing, so then I took it off. Then there was no error until I connected it back to the PS3; then the PS3 was saying that the PS3 HDD had an error and needed a format to continue. I don't know what mistake I made.
If someone wants to give it a try and make it work and tell us what's wrong, here is a link to the Norton software: http://norton-partition-magic.en.sof...wnload#pathbar
10-11-2009 #10 DSpider Guest
Come on... How could Partition Magic read an ENCRYPTED drive? Do you have any idea what you're talking about?